
Is 'Validate Certificate Assertion' checking signatures?

Question asked by Tomasz-Kowalski-in4mates on Sep 18, 2018
Latest reply on Sep 19, 2018 by Tomasz-Kowalski-in4mates

In the 'Validate Certificate Assertion' documentation there is this disclaimer:

A valid certificate does not ensure authentication. In other words, the Gateway does not
check to ensure that the user possesses a private key.

However, if one runs this assertion against ${request.ssl.clientCertificate}, then it can be sure that the client possesses the private key related to the certificate in ${request.ssl.clientCertificate}. Am I right?

However, what does the Validate Certificate Assertion really do? Does it only check that the subject & issuer path goes to a trust anchor, or does it validate that the certificates' signatures are OK (meaning the certificates are not fake) while going along the path to the trust anchor?